The present invention relates to maintaining security information in a distributed environment, and relates more particularly to updating passwords and private keys in a computer network.
Internal business networks, global computer networks, loosely- or tightly-coupled groups of networks, devices linked by wireless connections, mobile computers, and other distributed environments are becoming more important than ever to individuals, businesses, government agencies, and other entities. Distributed environments are also becoming more diverse in their geography, data format, hardware configuration, software platform, and other characteristics. As a result, security concerns are becoming both more important and more complex.
Keys and passwords protecting those keys are widely used to control access to data and other resources in a distributed environment. Keys are often used for authenticating user requests, for encrypting and decrypting digital documents, and for creating and verifying digital signatures on digital documents. Keys include symmetric keys, and asymmetric keys such as public-private key pairs. A given symmetric key may be used, for instance, both to encrypt a document and to decrypt the encrypted document. If a public key is used to encrypt a document, then the private key must be used to decrypt the encrypted document. Public-private key pairs are also useful for digitally signing documents and verifying such digital signatures. Passwords control access to keys and thus act as keys in their own right. Indeed, a key may be used as a password and vice versa.
Keys may be embedded in tokens. Tokens may be xe2x80x9chardxe2x80x9d or xe2x80x9csoftxe2x80x9d. A hard token is a physical device, such as a dongle, a magnetic card, or a PCMCIA card, which must be physically presented to the distributed environment at a particular location in order to gain access to resources through that location. There are generally few or no duplicate copies of a key in a hard token, and the key data is normally restricted to the location at which the hard token is presented.
By contrast, a soft-token is a computer data structure, that is, a collection of digital information organized in a particular way to be recognized and otherwise processed by a computer. If the key is part of a public-private key pair, then the token may include a certificate for authenticating the key. Soft-tokens may be copied and distributed to many locations in the environment, making it unnecessary for the key""s owner to be physically present at a hard-token-ready machine to present the token. Soft-token distribution is accomplished using network connections, memory copies, and similar operations.
In the absence of security concerns, soft-tokens would be easier to work with than hard tokens: they are cheaper to make, easier to transport, easier to store, and easier to modify. Unfortunately, these same characteristics make soft-tokens vulnerable to security breaches. Unless appropriate steps are taken, fake keys and passwords can be made and substituted for authorized keys and passwords, and authorized keys and passwords can be modified to grant access to unauthorized entities.
In particular, some assurance of authenticity is needed when a new key or a new password arrives at a location to be entered as the replacement for the current key or current password. Otherwise one is forced to choose between forbidding changes to keys and passwords, on the one hand, and risking unauthorized access after a key or password is updated, on the other. Forbidding changes makes the distributed environment much less convenient and effective for administrators and other users. Accordingly, novel systems, devices, and methods for secure key and password updates are disclosed and claimed herein.
The present invention provides methods, systems, and devices for maintaining a soft-token store. In particular, the invention provides tools for securely updating private keys, passwords, and other confidential information in a distributed environment. One method of the invention updates a password which protects a key stored in the distributed environment. According to this method, a user""s current password and new password are first obtained. Next a transaction is created including at least a current-password-encrypted-key (formed by encrypting the user""s key using the current password) and a new-password-encrypted-key (formed by encrypting the user""s key using the new password). The transaction is sent to an update location in the distributed environment which does not yet recognize the new password. The update location may not recognize any password for the user as yet, or it might only recognize a previously supplied different password. Regardless, the current-password-encrypted-key in the transaction is compared with a current-password-encrypted-key previously stored at the update location to determine whether they are equivalent. If they are, then the new-password-encrypted-key is entered at the update location so that the new password will be recognized there. This is accomplished without ever sending the plain text form of the key or the password across the xe2x80x9cwirexe2x80x9d between the distributed locations.